Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS12OGdxLTVncnEtOTcyOM4AAu1-
mozjpeg DecompressScanlines::read_scanlines is Unsound
This issue and attack vector are similar to RUSTSEC-2020-0029 in the rgb crate, on which mozjpeg depends.

Affected versions of the mozjpeg crate allow creating instances of any type T from bytes, and do not correctly constrain T to the types for which it is safe to do so.

Examples of safety violations possible for such a type T:

- T contains a reference type, and the conversion constructs a pointer to an invalid, arbitrary memory address.
- T requires a safety and/or validity invariant for its construction that may be violated.

The issue was fixed in 0.8.19 by using safer types and bumping the rgb dependency.
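The following is an added illustration of the bug class this advisory describes; it is not mozjpeg's code and does not reproduce the real `DecompressScanlines::read_scanlines` signature. It contrasts a byte-to-`Vec<T>` conversion whose only bound is `T: Copy` (the unsound shape: nothing stops a safe caller from choosing `bool`, a reference, or a type with a validity invariant) with one constrained by a hypothetical `unsafe trait FromBytes`, where the "every bit pattern is valid" argument lives in the trait impl and the length checks keep the copy in bounds. `Rgb8`, `FromBytes`, `pixels_from_bytes`, `pixels_from_bytes_unsound`, `scanlines` and the sample buffer are all assumptions made for the example.

```rust
// Added illustration of the bug class (not mozjpeg's code): reinterpreting
// bytes as an unconstrained generic T versus constraining T to byte-valid types.
use std::mem::size_of;
use std::ptr;

/// Marker for types that are valid for every bit pattern and have no padding
/// or invariants. It is `unsafe` to implement because the implementor asserts
/// those properties; an impl for `bool`, `&T` or `NonZeroU32` would bring back
/// exactly the unsoundness this advisory describes.
pub unsafe trait FromBytes: Copy {}
unsafe impl FromBytes for u8 {}
unsafe impl FromBytes for u16 {}
unsafe impl FromBytes for u32 {}
unsafe impl<T: FromBytes, const N: usize> FromBytes for [T; N] {}

/// Hypothetical packed 8-bit RGB pixel, the kind of T a scanline reader hands back.
#[repr(C)]
#[derive(Clone, Copy, Debug, PartialEq)]
pub struct Rgb8 {
    pub r: u8,
    pub g: u8,
    pub b: u8,
}
// SAFETY: three u8 fields, repr(C), no padding; every byte pattern is a valid pixel.
unsafe impl FromBytes for Rgb8 {}

/// The unsound shape: `T: Copy` does not exclude `bool`, references or types
/// with validity invariants, so a *safe* caller can pick a T for which the
/// bytes are not a valid value and trigger undefined behaviour.
/// (Exercised below only with a T for which the bytes happen to be valid.)
pub fn pixels_from_bytes_unsound<T: Copy>(bytes: &[u8]) -> Vec<T> {
    let n = bytes.len() / size_of::<T>(); // also panics for a zero-sized T
    let mut out: Vec<T> = Vec::with_capacity(n);
    unsafe {
        // Nothing justifies this for an arbitrary T: that is the bug.
        ptr::copy_nonoverlapping(bytes.as_ptr(), out.as_mut_ptr() as *mut u8, n * size_of::<T>());
        out.set_len(n);
    }
    out
}

/// The constrained version: the `FromBytes` bound moves the validity argument
/// to the trait impl, and the length checks keep the copy in bounds.
pub fn pixels_from_bytes<T: FromBytes>(bytes: &[u8]) -> Result<Vec<T>, String> {
    let sz = size_of::<T>();
    if sz == 0 {
        return Err("zero-sized pixel type".to_string());
    }
    if bytes.len() % sz != 0 {
        return Err(format!("{} bytes is not a multiple of the {}-byte pixel", bytes.len(), sz));
    }
    let n = bytes.len() / sz;
    let mut out: Vec<T> = Vec::with_capacity(n);
    // SAFETY: `out` owns `n` properly aligned slots of T; exactly `n * sz`
    // bytes are written (a byte copy needs no source alignment), and
    // `T: FromBytes` guarantees every byte pattern is a valid T, so `set_len`
    // exposes only initialised, valid values.
    unsafe {
        ptr::copy_nonoverlapping(bytes.as_ptr(), out.as_mut_ptr() as *mut u8, bytes.len());
        out.set_len(n);
    }
    Ok(out)
}

/// Split a decoded image buffer into rows of `width` pixels of type T.
pub fn scanlines<T: FromBytes>(bytes: &[u8], width: usize) -> Result<Vec<Vec<T>>, String> {
    let row_bytes = width.checked_mul(size_of::<T>()).ok_or("row size overflows")?;
    if row_bytes == 0 {
        return Err("width or pixel size is zero".to_string());
    }
    if bytes.len() % row_bytes != 0 {
        return Err(format!("{} bytes is not a whole number of {}-byte rows", bytes.len(), row_bytes));
    }
    bytes.chunks_exact(row_bytes).map(pixels_from_bytes::<T>).collect()
}

fn main() {
    // Constructed 2x1 sample buffer of packed RGB bytes.
    let buf = [1u8, 2, 3, 4, 5, 6];
    println!("{:?}", scanlines::<Rgb8>(&buf, 1));
    println!("{:?}", pixels_from_bytes::<u16>(&buf[..5]));
}
```

The point of the `FromBytes` bound is that the compiler now rejects `pixels_from_bytes::<bool>(..)` or `pixels_from_bytes::<&str>(..)` at the call site, whereas the `T: Copy` version accepts them and leaves the caller's safe code responsible for a guarantee it cannot check. Crates such as bytemuck (`Pod`) or zerocopy (`FromBytes`) provide the same kind of bound with derive macros and alignment-aware slice casts; the hand-rolled trait here is only to keep the example dependency-free.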
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS12OGdxLTVncnEtOTcyOM4AAu1-
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: about 1 year ago
Updated: 11 months ago
Identifiers: GHSA-v8gq-5grq-9728
References:
- https://github.com/ImageOptim/mozjpeg-rust/issues/10
- https://rustsec.org/advisories/RUSTSEC-2020-0165.html
- https://github.com/advisories/GHSA-v8gq-5grq-9728
Affected Packages
cargo:mozjpeg
Versions: < 0.8.19
Fixed in: 0.8.19